PT-2026-4499 · Unknown · Lavalite Cms

Abigowl · Published 2026-01-23 · Updated 2026-01-24 · CVE-2025-71177

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: LavaLite CMS versions up to and including 10.1.0

Description: LavaLite CMS is affected by a stored cross-site scripting issue in the package creation and search functionality. Authenticated users can inject crafted HTML or JavaScript into the Name or Description fields during package creation. This malicious content is stored and subsequently displayed without proper output encoding when other users view package search results, leading to script execution in their browsers. This could allow for session hijacking, credential theft, and unauthorized actions.

Recommendations: Versions prior to 10.1.0 should be updated.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2025-71177
GHSA-W7RQ-FGX4-4XCM

Affected products

Lavalite Cms